Mbedtls/tizenrt patch cleanup

external/include/mbedtls/ecdh.h

@@ -167,8 +167,6 @@ typedef struct mbedtls_ecdh_context {
                                                     if this flag is set. */
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
-    int MBEDTLS_PRIVATE(server_raw_public_key);  /*!< Use server Raw Public Key. */
-    int MBEDTLS_PRIVATE(client_raw_public_key);  /*!< Use client Raw Public Key. */
 }
 mbedtls_ecdh_context;
 

external/include/mbedtls/mbedtls_config.h

@@ -182,9 +182,7 @@
  * mbedtls_platform_gmtime_r() at compile-time by using the macro
  * MBEDTLS_PLATFORM_GMTIME_R_ALT.
  */
-#ifndef CONFIG_TLS_HAVE_NO_TIME_DATE
 #define MBEDTLS_HAVE_TIME_DATE
-#endif
 
 /**
  * \def MBEDTLS_PLATFORM_MEMORY
@@ -275,7 +273,7 @@
  *
  * Uncomment to get warnings on using deprecated functions and features.
  */
-#define MBEDTLS_DEPRECATED_WARNING
+//#define MBEDTLS_DEPRECATED_WARNING
 
 /**
  * \def MBEDTLS_DEPRECATED_REMOVED
@@ -688,7 +686,7 @@
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
 /* Montgomery curves (supporting ECP) */
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-// #define MBEDTLS_ECP_DP_CURVE448_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
@@ -1091,7 +1089,7 @@
  *
  * Uncomment this macro to disable the built-in platform entropy functions.
  */
-#define MBEDTLS_NO_PLATFORM_ENTROPY
+//#define MBEDTLS_NO_PLATFORM_ENTROPY
 
 /**
  * \def MBEDTLS_ENTROPY_FORCE_SHA256
@@ -2173,7 +2171,6 @@
  *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
  *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
  *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
- *      MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256
  *
  * PEM_PARSE uses AES for decrypting encrypted keys.
  */
@@ -2344,7 +2341,7 @@
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
  */
-// #define MBEDTLS_ARIA_C
+#define MBEDTLS_ARIA_C
 
 /**
  * \def MBEDTLS_CCM_C
@@ -2368,7 +2365,7 @@
  *
  * Module:  library/chacha20.c
  */
-// #define MBEDTLS_CHACHA20_C
+#define MBEDTLS_CHACHA20_C
 
 /**
  * \def MBEDTLS_CHACHAPOLY_C
@@ -2379,7 +2376,7 @@
  *
  * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
  */
-// #define MBEDTLS_CHACHAPOLY_C
+#define MBEDTLS_CHACHAPOLY_C
 
 /**
  * \def MBEDTLS_CIPHER_C
@@ -2677,7 +2674,7 @@
  *
  * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
  */
-// #define MBEDTLS_NIST_KW_C
+#define MBEDTLS_NIST_KW_C
 
 /**
  * \def MBEDTLS_MD_C
@@ -3632,7 +3629,7 @@
 
 /* MPI / BIGNUM options */
 //#define MBEDTLS_MPI_WINDOW_SIZE            2 /**< Maximum window size used. */
-#define MBEDTLS_MPI_MAX_SIZE            512 /**< Maximum number of bytes for usable MPIs. */
+//#define MBEDTLS_MPI_MAX_SIZE            1024 /**< Maximum number of bytes for usable MPIs. */
 
 /* CTR_DRBG options */
 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN               48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
@@ -3648,8 +3645,8 @@
 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT      384 /**< Maximum size of (re)seed buffer */
 
 /* ECP options */
-#define MBEDTLS_ECP_WINDOW_SIZE            7 /**< Maximum window size used */
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */
+//#define MBEDTLS_ECP_WINDOW_SIZE            4 /**< Maximum window size used */
+//#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */
 
 /* Entropy options */
 //#define MBEDTLS_ENTROPY_MAX_SOURCES                20 /**< Maximum number of sources supported */
@@ -3741,7 +3738,7 @@
 
 /* SSL Cache options */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
-#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      2 /**< Maximum entries in cache */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
 
 /* SSL options */
 
@@ -3848,27 +3845,7 @@
  *
  * The value below is only an example, not the default.
  */
-#define MBEDTLS_SSL_CIPHERSUITES                        \
-	/* All AES-256 ephemeral suites */                  \
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,    \
-	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,      \
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,        \
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,    \
-	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,      \
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,        \
-	/* All AES-128 ephemeral suites */                  \
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,    \
-	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,      \
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,        \
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,    \
-	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,      \
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,        \
-	/* All AES-256 suites */                            \
-	MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,            \
-	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,            \
-	/* All AES-128 suites */                            \
-	MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,            \
-	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 
 /**
  * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE

external/include/mbedtls/mbedtls_tizenrt_config.h

@@ -158,3 +158,62 @@
 /* MBEDTLS_PKCS5_C should be enabled to encrypt TASH password with PBKDF2 */
 #define MBEDTLS_PKCS5_C
 #endif /* CONFIG_MBEDTLS_PKCS5_C */
+
+/* TizenRT-specific overrides vs upstream mbedtls_config.h */
+
+/* Disable MBEDTLS_HAVE_TIME_DATE when the platform has no time/date support. */
+#ifdef CONFIG_TLS_HAVE_NO_TIME_DATE
+#undef MBEDTLS_HAVE_TIME_DATE
+#endif
+
+/* Enable deprecated-API compiler warnings (upstream default: disabled). */
+#define MBEDTLS_DEPRECATED_WARNING
+
+/* Disable Curve448 (not needed on TizenRT targets). */
+#undef MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+/* Always enable platform entropy (upstream default: disabled). */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/* Disable cipher modules not used on TizenRT. */
+#undef MBEDTLS_ARIA_C
+#undef MBEDTLS_CHACHA20_C
+#undef MBEDTLS_CHACHAPOLY_C
+#undef MBEDTLS_NIST_KW_C
+
+/* Limit MPI size to reduce memory usage. */
+#undef MBEDTLS_MPI_MAX_SIZE
+#define MBEDTLS_MPI_MAX_SIZE            512
+
+/* Tune ECP performance settings. */
+#undef MBEDTLS_ECP_WINDOW_SIZE
+#define MBEDTLS_ECP_WINDOW_SIZE            7
+#undef MBEDTLS_ECP_FIXED_POINT_OPTIM
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1
+
+/* Reduce SSL session cache size. */
+#undef MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
+#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      2
+
+/* Restrict cipher suites to AES-only ephemeral and non-ephemeral suites. */
+#define MBEDTLS_SSL_CIPHERSUITES                        \
+	/* All AES-256 ephemeral suites */                  \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,    \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,      \
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,        \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,    \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,      \
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,        \
+	/* All AES-128 ephemeral suites */                  \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,    \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,      \
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,        \
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,    \
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,      \
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,        \
+	/* All AES-256 suites */                            \
+	MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,            \
+	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,            \
+	/* All AES-128 suites */                            \
+	MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,            \
+	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256

external/include/mbedtls/ssl.h

@@ -569,8 +569,6 @@
 
 #define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH          1
 
-#define MBEDTLS_TLS_CERT_TYPE_RAW_PUBLIC_KEY         2
-
 #define MBEDTLS_TLS_EXT_TRUNCATED_HMAC               4
 #define MBEDTLS_TLS_EXT_STATUS_REQUEST               5 /* RFC 6066 TLS 1.2 and 1.3 */
 
@@ -3307,7 +3305,9 @@ void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
                                mbedtls_x509_crt *ca_chain,
                                mbedtls_x509_crl *ca_crl);
 
+#ifdef MBEDTLS_OCF_PATCH
 void mbedtls_ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert);
+#endif /* MBEDTLS_OCF_PATCH */
 
 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
 /**
@@ -3424,7 +3424,7 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
  */
 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
                               mbedtls_x509_crt *own_cert,
-                              mbedtls_pk_context *pk_key);                                                     
+                              mbedtls_pk_context *pk_key);
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)

external/include/mbedtls/ssl_ciphersuites.h

@@ -154,8 +154,6 @@ extern "C" {
 #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
 #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
 
-#define MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256    0xFF00 /**< TLS 1.2 */
-
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037
@@ -298,7 +296,6 @@ typedef enum {
     MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
     MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
     MBEDTLS_KEY_EXCHANGE_ECJPAKE,
-    MBEDTLS_KEY_EXCHANGE_ECDH_ANON,
 } mbedtls_key_exchange_type_t;
 
 /* Key exchanges using a certificate */
@@ -445,7 +442,6 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_
         case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
         case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
         case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_ANON:
             return 1;
 
         default:
@@ -539,7 +535,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersui
         case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
         case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
         case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_ANON:
             return 1;
 
         default:

external/iotivity/iotivity_1.2-rel/resource/csdk/connectivity/api/casecurityinterface.h

@@ -211,18 +211,6 @@ CAResult_t CAregisterGetCredentialTypesHandler(CAgetCredentialTypesHandler getCr
  */
 CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapter);
 
-/**
- * Enable TLS_ECDH_anon_WITH_AES_128_CBC_SHA cipher suite in dtls.
- *
- * @param[in] enable  TRUE/FALSE enables/disables anonymous cipher suite.
- *
- * @retval  ::CA_STATUS_OK    Successful.
- * @retval  ::CA_STATUS_FAILED Operation failed.
- *
- * @note anonymous cipher suite should only be enabled for 'JustWorks' provisioning.
- */
-CAResult_t CAEnableAnonECDHCipherSuite(const bool enable);
-
 
 /**
  * Generate ownerPSK using PRF.

external/iotivity/iotivity_1.2-rel/resource/csdk/connectivity/src/adapter_util/ca_adapter_net_ssl.c

@@ -290,7 +290,6 @@ typedef enum
     SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
     SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
-    SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256,
     SSL_CIPHER_MAX
 } SslCipher_t;
 
@@ -310,8 +309,7 @@ static const int tlsCipher[SSL_CIPHER_MAX][2] =
     {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 0},
     {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 0},
     {MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 0},
-    {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0},
-    {MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 0}
+    {MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 0}
 };
 
 static int g_cipherSuitesList[SSL_CIPHER_MAX];
@@ -2246,8 +2244,7 @@ CAResult_t CAdecryptSsl(const CASecureEndpoint_t *sep, uint8_t *data, uint32_t d
 
             int selectedCipher = peer->ssl.session->ciphersuite;
             OIC_LOG_V(DEBUG, NET_SSL_TAG, "(D)TLS Session is connected via ciphersuite [0x%x]", selectedCipher);
-            if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher &&
-                MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 != selectedCipher)
+            if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 != selectedCipher)
             {
                 char uuid[UUID_LENGTH * 2 + 5] = {0};
                 void * uuidPos = NULL;
@@ -2471,10 +2468,6 @@ static SslCipher_t GetCipherIndex(const uint32_t cipher)
         {
             return SSL_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
         }
-        case MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256:
-        {
-            return SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256;
-        }
         default:
         {
             return SSL_CIPHER_MAX;
@@ -2659,8 +2652,7 @@ CAResult_t CAsslGenerateOwnerPsk(const CAEndpoint_t *endpoint,
     int ivSize = 0;
     int keySize = 0;
     int keyBlockLen = 0;
-    if (MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher ||
-        MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher)
+    if (MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 == g_caSslContext->selectedCipher)
     {
         // 2 * ( 32 + 0 + 16 ) = 96
         macKeyLen = SHA256_MAC_KEY_LENGTH;

external/iotivity/iotivity_1.2-rel/resource/csdk/connectivity/src/caconnectivitymanager.c

@@ -512,23 +512,6 @@ CAResult_t CASelectCipherSuite(const uint16_t cipher, CATransportAdapter_t adapt
     return res;
 }
 
-CAResult_t CAEnableAnonECDHCipherSuite(const bool enable)
-{
-    OIC_LOG_V(DEBUG, TAG, "CAEnableAnonECDHCipherSuite");
-    CAResult_t res = CA_STATUS_FAILED;
-#if defined(__WITH_DTLS__) || defined(__WITH_TLS__)
-    // TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256    0xFF00 replaces 0xC018
-    res = CAsetTlsCipherSuite(enable ? 0xFF00 : 0x00);
-    if (CA_STATUS_OK != res)
-    {
-        OIC_LOG_V(ERROR, TAG, "Failed to CAsetTlsCipherSuite : %d", res);
-    }
-#else
-    OIC_LOG(ERROR, TAG, "Method not supported");
-#endif
-    OIC_LOG_V(ERROR, TAG, "Out %s", __func__);
-    return res;
-}
 
 CAResult_t CAGenerateOwnerPSK(const CAEndpoint_t* endpoint,
                     const uint8_t* label, const size_t labelLen,

external/iotivity/iotivity_1.2-rel/resource/csdk/connectivity/test/ssladapter_test.cpp

@@ -3032,12 +3032,6 @@ static int testCAsetTlsCipherSuite()
         ret += 1;
     }
 
-    status = CAsetTlsCipherSuite(MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256);
-    if (SSL_ECDH_ANON_WITH_AES_128_CBC_SHA256 != g_caSslContext->cipher || status != CA_STATUS_OK)
-    {
-        ret += 1;
-    }
-
     status = CAsetTlsCipherSuite(dummyHandler);
     if (CA_STATUS_FAILED != status)
     {